Quick Answer: Each config below is a complete, working Xray configuration. Copy the JSON, replace YOUR-UUID, YOUR-DOMAIN, and key values with your own, save as config.json, and run with xray run -c config.json. All configs include sniffing, routing, and DNS.
How to Use These Configs
Generate Required Values
Before using any config, generate your keys:
# Install Xray (if not using a panel)
bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install
# Generate UUID (for VLESS/VMess)
xray uuid
# Generate Reality key pair (for VLESS+Reality)
xray x25519
# Output: Private key (server) and Public key (client)
# Generate Shadowsocks 2022 key
openssl rand -base64 16 # For aes-128-gcm
openssl rand -base64 32 # For aes-256-gcm
# Generate short ID for Reality
openssl rand -hex 4
Apply a Config
# Save config
sudo nano /usr/local/etc/xray/config.json
# Paste the config, replace placeholder values
# Test config
xray run -test -c /usr/local/etc/xray/config.json
# Restart Xray
sudo systemctl restart xray
If Using 3X-UI or Marzban
These panels manage the Xray config through their web UI. You don't edit JSON directly — instead, add inbounds through the panel interface. The configs below show what the panel creates under the hood, and are useful for understanding, debugging, or standalone setups.
Config 1: VLESS + Reality (Best for Censorship Bypass)
The most censorship-resistant TCP-based setup. Traffic is indistinguishable from a real HTTPS connection to the target website.
Server:
{
"log": { "loglevel": "warning" },
"dns": {
"servers": ["https+local://1.1.1.1/dns-query"]
},
"inbounds": [
{
"tag": "vless-reality",
"listen": "0.0.0.0",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [
{
"id": "YOUR-UUID-HERE",
"flow": "xtls-rprx-vision"
}
],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"show": false,
"dest": "www.yahoo.com:443",
"xver": 0,
"serverNames": ["www.yahoo.com", "yahoo.com"],
"privateKey": "YOUR-PRIVATE-KEY",
"shortIds": ["YOUR-SHORT-ID"]
}
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls", "quic"]
}
}
],
"outbounds": [
{ "tag": "direct", "protocol": "freedom" },
{ "tag": "block", "protocol": "blackhole" }
],
"routing": {
"rules": [
{
"type": "field",
"outboundTag": "block",
"port": "25,465,587"
},
{
"type": "field",
"outboundTag": "block",
"protocol": ["bittorrent"]
}
]
}
}
Client URI:
vless://YOUR-UUID@YOUR-SERVER-IP:443?security=reality&sni=www.yahoo.com&fp=chrome&pbk=YOUR-PUBLIC-KEY&sid=YOUR-SHORT-ID&flow=xtls-rprx-vision&type=tcp#VLESS-Reality
Choosing a Reality target (dest/SNI):
- Pick a website on the same hosting provider as your VPS
- Test with: xray tls ping your-target.com
- Avoid widely-known defaults (yahoo.com, google.com) -- censors fingerprint these
- Good choices: www.microsoft.com, www.samsung.com, dl.google.com, www.logitech.com
- For Iran: test that the target works from inside Iran before deploying
When to use: Primary setup for Iran, China, Russia. Best DPI resistance on TCP.
Config 2: VLESS + WebSocket + TLS (For Cloudflare CDN)
Route traffic through Cloudflare CDN to hide your server IP. Censors see Cloudflare IPs, not yours.
Server:
{
"log": { "loglevel": "warning" },
"dns": {
"servers": ["https+local://1.1.1.1/dns-query"]
},
"inbounds": [
{
"tag": "vless-ws",
"listen": "0.0.0.0",
"port": 2083,
"protocol": "vless",
"settings": {
"clients": [
{ "id": "YOUR-UUID-HERE" }
],
"decryption": "none"
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/vless-ws"
},
"security": "none"
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
}
}
],
"outbounds": [
{ "tag": "direct", "protocol": "freedom" },
{ "tag": "block", "protocol": "blackhole" }
],
"routing": {
"rules": [
{ "type": "field", "outboundTag": "block", "port": "25,465,587" }
]
}
}
Cloudflare setup:
- Domain on Cloudflare with A record → your VPS IP (orange cloud ON)
- SSL mode: Full
- Port 2083 is a Cloudflare-supported HTTPS port
Client URI:
vless://YOUR-UUID@YOUR-DOMAIN.COM:2083?security=tls&sni=YOUR-DOMAIN.COM&type=ws&path=%2Fvless-ws&host=YOUR-DOMAIN.COM#VLESS-WS-CDN
For clean Cloudflare IPs: Replace the domain in the client address with a clean IP, keep SNI and Host as your domain. See cfray guide.
Config 3: VMess + WebSocket + TLS (Legacy — Wide Client Support)
VMess is the original V2Ray protocol. Use when clients don't support VLESS.
Server:
{
"log": { "loglevel": "warning" },
"inbounds": [
{
"tag": "vmess-ws",
"listen": "0.0.0.0",
"port": 2087,
"protocol": "vmess",
"settings": {
"clients": [
{ "id": "YOUR-UUID-HERE", "alterId": 0 }
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/vmess-ws"
},
"security": "none"
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
}
}
],
"outbounds": [
{ "tag": "direct", "protocol": "freedom" },
{ "tag": "block", "protocol": "blackhole" }
]
}
Important: The security: none in WS configs above is only safe when behind Cloudflare CDN (which handles TLS). If connecting directly without CDN, add TLS or traffic is unencrypted and detectable by DPI.
Important: Always set alterId: 0 for modern VMess. Non-zero alterId is legacy and insecure.
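A small audit of a parsed config.json for the points this page warns about, added here as an example (it is not part of Xray or of the original page): WebSocket inbounds with security none that are not bound to loopback, non-zero VMess alterId, template placeholders left in place, and Reality serverNames matching the widely-known defaults named under Config 1. The finding names, the loopback exception and the placeholder prefixes are assumptions of this example.

```python
import ipaddress

WELL_KNOWN_TARGETS = {"yahoo.com", "google.com"}  # defaults the page says censors fingerprint
PLACEHOLDERS = ("YOUR-", "UUID-", "CLIENT-", "TROJAN-", "SS-")  # template prefixes on the page

def is_loopback(listen):
    try:
        return ipaddress.ip_address(listen).is_loopback
    except ValueError:  # not a literal IP: treat as reachable
        return False

def audit(config):
    """Return (inbound tag, finding) pairs for settings the page warns about."""
    findings = []
    for ib in config.get("inbounds", []):
        tag = ib.get("tag", "?")
        stream = ib.get("streamSettings", {})
        security = stream.get("security", "none")
        if (stream.get("network") == "ws" and security == "none"
                and not is_loopback(ib.get("listen", "0.0.0.0"))):
            findings.append((tag, "ws-without-tls"))  # only safe behind the CDN
        for client in ib.get("settings", {}).get("clients", []):
            if ib.get("protocol") == "vmess" and client.get("alterId", 0) != 0:
                findings.append((tag, "vmess-alterid-nonzero"))
            for key in ("id", "password"):
                if str(client.get(key, "")).startswith(PLACEHOLDERS):
                    findings.append((tag, "placeholder-" + key))
        if security == "reality":
            for name in stream.get("realitySettings", {}).get("serverNames", []):
                if name.lower().removeprefix("www.") in WELL_KNOWN_TARGETS:
                    findings.append((tag, "reality-well-known-target:" + name))
    return findings

# Constructed sample (hypothetical values), already parsed from JSON.
SAMPLE = {"inbounds": [
    {"tag": "vless-reality", "listen": "0.0.0.0", "protocol": "vless",
     "settings": {"clients": [{"id": "YOUR-UUID-HERE"}]},
     "streamSettings": {"network": "tcp", "security": "reality",
                        "realitySettings": {"serverNames": ["www.yahoo.com", "yahoo.com"]}}},
    {"tag": "vmess-ws", "protocol": "vmess",
     "settings": {"clients": [{"id": "11111111-2222-4333-8444-555555555555", "alterId": 64}]},
     "streamSettings": {"network": "ws", "security": "none"}},
    {"tag": "vless-ws-local", "listen": "127.0.0.1", "protocol": "vless",
     "settings": {"clients": [{"id": "11111111-2222-4333-8444-555555555555"}]},
     "streamSettings": {"network": "ws", "security": "none"}},
]}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A ws-without-tls finding on a CDN-fronted inbound is expected; it marks the listeners where only the CDN provides TLS and should be reviewed.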
Config 4: Trojan + WebSocket
Trojan mimics HTTPS traffic. Useful when VLESS is specifically targeted.
Server:
{
"log": { "loglevel": "warning" },
"inbounds": [
{
"tag": "trojan-ws",
"listen": "0.0.0.0",
"port": 2096,
"protocol": "trojan",
"settings": {
"clients": [
{ "password": "YOUR-STRONG-PASSWORD" }
]
},
"streamSettings": {
"network": "ws",
"wsSettings": {
"path": "/trojan-ws"
},
"security": "none"
},
"sniffing": {
"enabled": true,
"destOverride": ["http", "tls"]
}
}
],
"outbounds": [
{ "tag": "direct", "protocol": "freedom" },
{ "tag": "block", "protocol": "blackhole" }
],
"routing": {
"rules": [
{ "type": "field", "outboundTag": "block", "port": "25,465,587" }
]
}
}
Works behind Cloudflare CDN on supported HTTPS ports (2096).
Config 5: Shadowsocks 2022
Modern Shadowsocks with AEAD 2022 encryption:
Server:
{
"log": { "loglevel": "warning" },
"inbounds": [
{
"tag": "ss-2022",
"listen": "0.0.0.0",
"port": 8388,
"protocol": "shadowsocks",
"settings": {
"method": "2022-blake3-aes-128-gcm",
"password": "YOUR-BASE64-KEY",
"network": "tcp,udp",
"clients": [
{ "password": "CLIENT-BASE64-KEY" }
]
}
}
],
"outbounds": [
{ "tag": "direct", "protocol": "freedom" },
{ "tag": "block", "protocol": "blackhole" }
],
"routing": {
"rules": [
{ "type": "field", "outboundTag": "block", "port": "25,465,587" }
]
}
}
Generate keys:
# Server key
openssl rand -base64 16
# Client key (different from server key)
openssl rand -base64 16
Client URI:
ss://BASE64_ENCODED@YOUR-IP:8388#SS-2022
# Where BASE64_ENCODED = base64("2022-blake3-aes-128-gcm:SERVER-KEY:CLIENT-KEY")
# Generate with: echo -n "2022-blake3-aes-128-gcm:SERVER-KEY:CLIENT-KEY" | base64
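The key rules above as a check that runs before the URI is handed to a client, added here as an example (not code from the original page or from Xray): each key must be valid base64 of the size its method needs, and the client key must differ from the server key. The function names, the sample keys and the 203.0.113.10 address are hypothetical; the URI layout is the one this page describes.

```python
import base64
import binascii

# Key sizes in bytes, matching the openssl commands on this page.
KEY_BYTES = {"2022-blake3-aes-128-gcm": 16, "2022-blake3-aes-256-gcm": 32}

def check_key(method, key_b64):
    """Return the decoded key, or raise ValueError if it does not fit the method."""
    if method not in KEY_BYTES:
        raise ValueError(f"no key size known for {method}")
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key is not valid base64") from exc
    if len(raw) != KEY_BYTES[method]:
        raise ValueError(f"{method} needs {KEY_BYTES[method]} bytes, got {len(raw)}")
    return raw

def build_ss_uri(method, server_key, client_key, host, port, name):
    """Build ss://base64(method:SERVER-KEY:CLIENT-KEY)@host:port#name as the page describes."""
    check_key(method, server_key)
    check_key(method, client_key)
    if server_key == client_key:
        raise ValueError("client key must differ from server key")
    userinfo = base64.b64encode(f"{method}:{server_key}:{client_key}".encode()).decode()
    return f"ss://{userinfo}@{host}:{port}#{name}"

# Constructed keys (bytes 0x00..0x0f and 0x10..0x1f); never use these in a deployment.
SERVER_KEY = "AAECAwQFBgcICQoLDA0ODw=="
CLIENT_KEY = "EBESExQVFhcYGRobHB0eHw=="

if __name__ == "__main__":
    print(build_ss_uri("2022-blake3-aes-128-gcm", SERVER_KEY, CLIENT_KEY,
                       "203.0.113.10", 8388, "SS-2022"))
```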
Config 6: Multi-Protocol Server (All-in-One)
Run VLESS+Reality, VLESS+WS (CDN), VMess+WS, Trojan, and Shadowsocks on ONE server:
{
"log": { "loglevel": "warning" },
"dns": {
"servers": [
{ "address": "https+local://1.1.1.1/dns-query" }
]
},
"inbounds": [
{
"tag": "vless-reality",
"port": 443,
"protocol": "vless",
"settings": {
"clients": [{ "id": "UUID-1", "flow": "xtls-rprx-vision" }],
"decryption": "none"
},
"streamSettings": {
"network": "tcp",
"security": "reality",
"realitySettings": {
"dest": "www.yahoo.com:443",
"serverNames": ["www.yahoo.com"],
"privateKey": "REALITY-PRIVATE-KEY",
"shortIds": ["SHORT-ID"]
}
},
"sniffing": { "enabled": true, "destOverride": ["http", "tls", "quic"] }
},
{
"tag": "vless-ws-cdn",
"port": 2083,
"protocol": "vless",
"settings": {
"clients": [{ "id": "UUID-1" }],
"decryption": "none"
},
"streamSettings": {
"network": "ws",
"wsSettings": { "path": "/vless-ws" }
},
"sniffing": { "enabled": true, "destOverride": ["http", "tls"] }
},
{
"tag": "vmess-ws",
"port": 2087,
"protocol": "vmess",
"settings": {
"clients": [{ "id": "UUID-1", "alterId": 0 }]
},
"streamSettings": {
"network": "ws",
"wsSettings": { "path": "/vmess-ws" }
}
},
{
"tag": "trojan-ws",
"port": 2096,
"protocol": "trojan",
"settings": {
"clients": [{ "password": "TROJAN-PASSWORD" }]
},
"streamSettings": {
"network": "ws",
"wsSettings": { "path": "/trojan-ws" }
}
},
{
"tag": "ss-2022",
"port": 8388,
"protocol": "shadowsocks",
"settings": {
"method": "2022-blake3-aes-128-gcm",
"password": "SS-SERVER-KEY",
"clients": [{ "password": "SS-CLIENT-KEY" }],
"network": "tcp,udp"
}
}
],
"outbounds": [
{ "tag": "direct", "protocol": "freedom" },
{ "tag": "block", "protocol": "blackhole" },
{
"tag": "warp",
"protocol": "socks",
"settings": {
"servers": [{ "address": "127.0.0.1", "port": 40000 }]
}
}
],
"routing": {
"domainStrategy": "AsIs",
"rules": [
{ "type": "field", "outboundTag": "block", "port": "25,465,587" },
{ "type": "field", "outboundTag": "block", "protocol": ["bittorrent"] },
{
"type": "field",
"outboundTag": "warp",
"domain": ["google.com", "googleapis.com", "openai.com", "chatgpt.com"]
}
]
}
}
This config:
- VLESS+Reality on 443 (direct, best DPI resistance)
- VLESS+WS on 2083 (for Cloudflare CDN fallback)
- VMess+WS on 2087 (legacy client support)
- Trojan+WS on 2096 (alternative protocol)
- Shadowsocks on 8388 (simple encrypted proxy)
- Routes Google/ChatGPT through WARP for clean IP
- Blocks SMTP spam and BitTorrent
Config 7: Routing Rules
Block Ads
{
"routing": {
"rules": [
{
"type": "field",
"outboundTag": "block",
"domain": [
"geosite:category-ads-all"
]
}
]
}
}
Block Torrents + Spam
{
"routing": {
"rules": [
{ "type": "field", "outboundTag": "block", "protocol": ["bittorrent"] },
{ "type": "field", "outboundTag": "block", "port": "25,465,587" }
]
}
}
Geo-Block Countries
{
"routing": {
"rules": [
{
"type": "field",
"outboundTag": "block",
"ip": ["geoip:ir", "geoip:cn", "geoip:ru"]
}
]
}
}
Route Through WARP (Clean IP)
{
"outbounds": [
{ "tag": "direct", "protocol": "freedom" },
{
"tag": "warp",
"protocol": "socks",
"settings": {
"servers": [{ "address": "127.0.0.1", "port": 40000 }]
}
}
],
"routing": {
"rules": [
{
"type": "field",
"outboundTag": "warp",
"domain": ["google.com", "openai.com", "chatgpt.com", "netflix.com"]
}
]
}
}
Requires WARP running in proxy mode on the server. See WARP Setup.
Full routing guide: Xray Routing Guide
Config 8: Fragment (Iran-Specific DPI Evasion)
Fragment splits the TLS ClientHello into smaller pieces to evade Iranian DPI:
Client-side config (add to streamSettings in client apps):
{
"streamSettings": {
"sockopt": {
"dialerProxy": "fragment",
"tcpKeepAliveIdle": 100,
"tcpNoDelay": true
}
}
}
{
"outbounds": [
{
"tag": "fragment",
"protocol": "freedom",
"settings": {
"fragment": {
"packets": "tlshello",
"length": "10-100",
"interval": "10-50"
}
}
}
]
}
Both blocks above go in the same client config. The main outbound references the fragment outbound by its tag. Fragment splits the TLS handshake, then traffic flows through it.
In v2rayNG: Settings → enable Fragment, set length 10-100, interval 10-50.
Firewall for All Configs
# Open all ports used above
sudo ufw allow 443/tcp # VLESS+Reality
sudo ufw allow 2083/tcp # VLESS+WS (CDN)
sudo ufw allow 2087/tcp # VMess+WS
sudo ufw allow 2096/tcp # Trojan+WS
sudo ufw allow 8388/tcp # Shadowsocks
sudo ufw allow 8388/udp # Shadowsocks UDP
# Verify
sudo ufw status
Testing Your Config
# Validate config syntax
xray run -test -c /usr/local/etc/xray/config.json
# Check Xray is running
systemctl status xray
# Check ports are listening
ss -tlnp | grep xray
# Test from client
curl --proxy socks5h://127.0.0.1:1080 https://ifconfig.me